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Abstract 

In this paper, we introduce a symmetric -key Latin square image cipher (LSIC) for grayscale and color images. 
Our contributions to the image encryption community include 1) we develop new Latin square image encryption 
primitives including Latin Square Whitening, Latin Square S-box and Latin Square P-box ; 2) we provide a new 
way of integrating probabilistic encryption in image encryption by embedding random noise in the least significant 
image bit-plane; and 3) we construct LSIC with these Latin square image encryption primitives all on one keyed 
Latin square in a new loom-like substitution-permutation network. Consequently, the proposed LSIC achieve many 
desired properties of a secure cipher including a large key space, high key sensitivities, uniformly distributed 
ciphertext, excellent confusion and diffusion properties, semantically secure, and robustness against channel noise. 
Theoretical analysis show that the LSIC has good resistance to many attack models including brute-force attacks, 
ciphertext-only attacks, known-plaintext attacks and chosen-plaintext attacks. Experimental analysis under extensive 
simulation results using the complete USC-SIPI Miscellaneous image dataset demonstrate that LSIC outperforms or 
reach state of the art suggested by many peer algorithms. All these analysis and results demonstrate that the LSIC 
is very suitable for digital image encryption. Finally, we open source the LSIC MATLAB code under webpage 
https://sites.google.com/site/tuftsyuewu/source-code 



Index Terms 

Image encryption, Latin square. Substitution-permutation network. Confusion-diffusion property. Probabilistic 
encryption. 

L Introduction 

With ubiquitous digital images and digital media devices all over the world, the importance of image security 
has been noticed and emphasized in recent years [1]. In the real world, digital cameras capture the real scene 
in the format of digital images, and are widely used in many digital devices such as smart phones, IPADs, and 
laptops. In the virtual world, digital images, including those taken from cameras, scanned documents or pictures, 
and computer-aid virtual paintings and so on, are the most common elements within a webpage besides texts on the 
World Wide Web. Due to extensive information within a digital image, divulged image contents sometimes cause 
severe problems for its owner(s). In many cases, such information leakage seriously invades personal privacy, e.g. 
the malicious spread of photos in personal online albums or patients' medical diagnosis images, and furthermore 
it may cause uncountable losses for a company or a nation, e.g. a secret product design for a company or a 
governmental classified scanned document. 

Conventionally, digital data is encrypted by bit-stream ciphers and block ciphers IH, ||3l, H, Q. The two 
well-known block ciphers are the Digital Encryption Standard (DES) 101 and its successor Advanced Encryption 
Standard (AES) fS]. A digital image is a specific type of digital data and can be encrypted by these conventional 
ciphers. However, they are not ideal ciphers for digital images because of 

• Insufficient large block size: digital images are normally of several kilobits (Kb) and megabits (Mb), while 
conventional bit-stream/block ciphers commonly has a block size less than 256 bits. 

• Neglect of the nature of digital images: digital images are of two-dimensional data, while conventional bit- 
stream/block ciphers encrypt an image by indirectly encrypting a pixel sequence extracted from this image. 
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The first defect implies the low efficiency of encrypting a digital image using a bit-stream/block cipher lUl, [SI, 
|[7J. The second defect implies that a pixel sequence of an image is of high information redundancy with a tilted 
histogram and is distinctive from a common bit sequence input to a bit- stream/block cipher. Therefore, image 
encryption should be adaptive to image properties and natures H], 

In general, digital image encryption methods can be classified into two groups: perceptual-level and bit-level. 
The perceptual-level image encryption methods intend to transform an image into a unrecognized one using a fast 
algorithm, e.g. selective encryption techniques [8J, [9J, [10,1 and optical encryption techniques lOTI . lfT2l . |il3|. In 
this case, images are believed to be valuable only within a certain time period e.g. a couple of hours. To some 
extend, therefore, an encrypted image by using perceptual-level image encryption is insecure because it maybe 
cracked after a sufficiently long time. In contrast, the bit-level image encryption aims to change an image into a 
random-like one. In this situation, images are believed to be valuable for a quite long time period e.g. twenty years. 
Nowadays, the bit-level image encryption methods are mainly based on chaotic systems Q, ||6|, |[T4l . |[T5l . |[T6ll . 
lITTl . Although many existing chaotic image encryption algorithms have several good properties for cryptography 
security, they have defects in the following aspects regardless of the chaotic systems being used: 

• A chaotic system is defined on real numbers while a cryptsystem is defined on finite numbers. 

• A chaotic system may lose its chaotic nature completely and become periodic when it is decretized. 

• A chaotic system's parameters and initial values can be estimated by a number of existing tools and methods. 
The first defect implies the difficulties of software and hardware implementation for a chaos-based image encryption 
method because round-off errors in real number quantizations may lead nonreversible functions for encryption and 
thus make the decryption process impossible ifTSl . The second defect implies a chaotic image encryption method 
could be completely nonchaotic and thus vulnerable to attacks fT9ll . The third defect shows these chaotic image 
encryption method may be broken using existing tools and methods after a long-term observation 11201 . ET II. Besides 
chaotic image encryption methods, nonchaotic image encryption methods are also researched by using various 
random-like patterns e.g. cellular automata ll22l . wave transmission model lITSl . Sudoku matrices |[23l . P-Fibonacci 
transform ll24l . and magic cubes ll25l . ll26l . Although nonchaotic image encryption methods eliminate drawbacks 
of chaotic encryption methods especially those round-off errors, many of them do not have good confusion and 
diffusion properties 1,27 J as in chaotic encryption methods, due to the fact that the used random-like patterns are 
not truly random-like. 

To address above mentioned problems in bit-level image encryption, we introduce a new Latin square image 
cipher in this paper. It is a nonchaotic image cipher and directly defined on finite numbers, and thus can be 
effectively implemented with accuracy and ease in software and hardware. LSIC uses a 256-bit encryption key to 
generate keyed Latin squares for encryption/decryption, whose key space is large enough to resist today's brute force 
attacks and could be expended to even larger sizes if needed. LSIC contains three Latin square based encryption 
primitives, namely Latin Square Whitening, Latin Square Substitution and Latin Square Permutation, all of which 
are dependent on a keyed 256 x 256 Latin square. Hence, LSIC is very sensitive to key changes. Further, these 
encryption primitives construct LSIC in a SPN |[28ll . a structure proven to be effective and efficient to encrypt images 
with good confusion and diffusion properties |[27l . In plus, we integrate the probabilistic encryption ||29l . |[30ll in 
LSIC by embedding random noise in the least significant bit-plane of a plaintext image. Consequently, encrypting 
a plaintext image multiple times will generate distinctive ciphertext images even though the encryption key is 
unchanged. This property helps LSIC to achieve a higher level of security and it completely prevents an adversary 
to sense identical plaintext images by observing identical ciphertext images. We demonstrate the robustness and 
effectiveness of LSIC using extensive theoretical analysis, simulation results and comparisons to peer algorithms. 

The rest of the paper is organized as follows: Section II gives a brief review on preliminary materials. Section III 
introduces the new Latin square image cipher including its key schedule, probabilistic encryption, and Latin square 
based encryption primitives. Section IV discusses the simulation database information, extensive simulations results 
and cipher encryption and decryption speed. Section V analyzes the cipher security theoretically and experimentally 
under various attacks, and finally Section VI concludes the paper and give discussions on open questions in LSIC. 

II. Background 

A. Latin Squares 

A Latin square of order is an x array filled with a symbol set of N distinctive elements, with each symbol 
appears exactly once in each row and each column. The name Latin Square is motivated by the mathematician 
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Leonhard Euler, who used Latin characters as symbols. 

Mathematically, we can define a Latin square L of order via a tri-tuple function of (r, c, i) as follows 



fL{r, c,i) 



1 , L{r,c) = Si 
, Otherwise 



(1) 



where r denotes the row index of an element in L with rEN = {0,l,-- - ,A^ — 1}; c denote the column indx of 
an element in L with c G N; i denotes the symbol index of an element in L with / € N; and Si is the ith symbol 
in the symbol set S = {5o, ^i, • • • , Sat-i}. 

Therefore, if L is a Latin square of order A^, then 

• for arbitrary c, i € N, we have 



N-l 



XI fL{r,c,i) = 1 



for arbitrary r, i G N, we have 



r=0 



N-l 



XI fL{r,c,i) = 1 



(2) 



(3) 



c=0 



which implies that each symbol appears exactly once in each row and each column in L. 

Fig. [T] shows examples of Latin squares at different orders with various symbol sets. It is worthwhile to note 
that the popular Sudoku puzzle ||3T| . ||23]| is also a special case of Latin square with additional block constraint as 
shown in Fig. [TJd). 
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(a) 3 X 3 (b) 4 X 4 

Fig. 1. Latin square examples 



(c) 5 X 5 



(d) 9 X 9 



Throughout of the paper, we are interested in x Latin squares with the symbol set of integers from to 
N-l, i.e. S = {0, 1,-- - ,Ar-l}. 

B. Latin Square Generator 

Although Latin squares can be generated via a variety of means, for the sake of simplicity we use Algorithm 1 
described below for Latin square generation in the paper. 



Algorithm 1. A Latin Square Generator L = LSG{Qi,Q2) 

Require: Qi and Q2 are two length-Af sequences 
Ensure: L is a Latin square of order A'^ 

Qseed = SortMapiQi) 

Qshift = SortMap{Q2) 

for r = : 1 : A - 1 do 

L{r, :) = RowShift(Qseed, Qshift{r)) 

end for 



In Algorithm 1, both Qi and Q2 are length- A^ sequences from a pseudo-random number generator (PRNG), e.g. 
Linear Congruential Generators (LCG) 132]; SortMap{Q) is a function which finds the index mapping between 
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a sequence Q and its sorted version Q* in the ascending order; and RowShift{Q,v) ring shifts the sequence Q 
with V elements towards left. 

For example, if we want to generate a 4 x 4 Latin square L with 

Qi = [.1, .6, .9, .7] and Q2 = [.3, .9, .4, .2] 

Then function SortMap{.) first calculates the sorted version of the input sequence and obtains 

= [.1,.6,.7,.9] and = [.2, .3, .4, .9] 

it then compares Qi with Q\ and Q2 with Q2 and obtains the element mapping sequences as 

Qseed = SortMapiQi) = [0, 1, 3, 2] 

and 

Q shift = SortMap{Q2) = [3,0,2, 1] 
, where the permutation sequences Qseed and QsUft indicate for i G {0, 1, 2, 3} 

Q*i {Qseed{i)) = Qi (i) and QI {QshifS)) = Q2 (i) 

Finally, function RowShift((5, f ) left shifts Qseed with the amount v = Qshift{f) indicated by the rth element in 
Q shifts and assign this row to be the rth row in L. We therefore have the 4x4 Latin square L: 

"2013" 

13 2 

3 2 1 
_ 1 3 2 _ 

whose 1st row is obtained by left shifting Qseed for 3 units; 2nd row is obtained by left shifting Qseed for unit; 
3rd row is obtained by left shifting Qseed for 3 units; and 4th row is obtained by left shifting Qseed for 1 unit. It 
is noticeable that this shifting amount sequence {3,0,2, 1} is indeed Q shift- 

C. Substitution-Permutation Network 

In cryptography, an input message and its corresponding output message of a cryptsystem are referred to as 
plaintext and ciphertext, respectively. A substitution-permutation network is a cipher structure composed of a 
number of substitution and permutation ciphers with multiple iterations. This structure is widely used in many 
well-known block ciphers, e.g. Rijndael i.e. AES |5|, and ensures good confusion and diffusion properties ETl . 
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Fig. 2. A -round substitution-permutation network for block ciphers 

A typical M-round SPN for block ciphers has a structure shown in Fig. [2] Conventionally in a SPN, plaintext, 
commonly in the form of a bit stream and denoted as P, is the original message to be encrypted; Key Whitening 
denotes an operation to mix the plaintext P with a round key; S-Box denotes a substitution-box, which maps one 
input byte to another in a deterministic way; P-Box denotes a permutation-box, which shuffles bit positions within 
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the input bit stream in a deterministic way; and ciphertext denotes the output bit stream C, which is an encrypted 
message by the SPN. The decryption process of a SPN cipher is simply to reverse the arrow directions of all 
processing and to use inverse S-Box, and inverse P-Box instead. 

The classic SPN ciphers are able to obtain good Shannon's confusion and diffusion properties |[27l . For the 
diffusion property: if one changes one bit in plaintext P, the corresponding ciphertext C changes in many bits. 
This one-bit change results in a different byte after passing through a S-Box, then leads more byte changes after 
passing through a P-Box, so on and so forth in each cipher round. Finally, one-bit change leads to significant changes 
in ciphertext C. The confusion property is the similar to the diffusion property. One bit change in encryption key 
K, will spread over all bits and result significant changes in ciphertext C. 

D. Psychovisual Redundancy in Image 

As a typical type of two-dimensional data, digital images contain many kinds of redundancies |[33l : 1) coding 
redundancy, which requires to express a pixel with the number of bits than the optimal number; 2) temporal or 
spatial redundancy, which implies strong correlations between pixels within a neighborhood; and 3) psychovisual 
redundancy, which is visually negligible details in the human vision system. The first two redundancies about 
real visual information are commonly removed by lossless compression techniques, such as Huffman coding and 
lossless predictive coding. In contrast, psychovisual redundancy within an image is not essential for normal visual 
processing, and thus it is commonly removed by lossy compression techniques, such as quantization techniques 
used in JPEG f34l. Besides image compression, psychovisual redundancy is also commonly used for data hiding, 
especially for the least significant bit-plane (LSB) data hiding techniques |l35l, |[36l . ll37l . which encode secret 
information within these unintelligible redundancies for human visual perception. 

Fig. [3] shows an example of using the psychovisual redundancy for data hiding in the least significant image 
bit-plane. The secret embedded image Fig. [3]-(c) contains identical bit-planes to those in the original image -(a) , 
except its least significant bit-plane is modified by bitwise XORing Olsb and secrete binary image /. As can be 
seen from this example, the secret embedded image is visually indistinguishable from the original one, although 
the least significant bit-plane has been dramatically changed. 




Fig. 3. Psychovisual redundancy used in LSB data hiding - (a) original image Lenna 0\ (b) Olsb', (c) secret embedded image E\ (d) 
Elsb\ and (e) secret information I = Olsb Elsb- 

Consequently, psychovisual redundancy in an image provides us a feasible way of introducing true randomness 
in an image without harming the image visual quality and expanding the image size for image encryption. More 
details are discussed in future sections. 

III. Latin square image cipher 

A. Overview 

To standardize the encryption/decryption processing, the cipher processing block is set to a 256 x 256 grayscale 
block, i.e. its pixel intensity is denoted as a 8-bit byte. In the rest of the paper, we use P to denote a 256 x 256 
plaintext image block, C to denote a corresponding ciphertext image block of P, L to denote a keyed Latin square 
of order 256, and K to denote a 256-bit encryption key. 

The new proposed Latin square image cipher is of a SPN structure with eight rounds as shown in Fig. |4] 
It is composed of the probabilistic encryption stage noise embedding in LSB and the SPN stage containing 
three encryption primitives Latin Square Whitening, Latin Square Substitution and Latin Square Permutation. It 
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is worthwhile to note that this SPN is of a loom-Uke structure designed for image data, which encrypts plaintext 
image along rows and columns iteratively. In the rest of this section, we will discuss these stages and the detail 
encryption/decryption algorithms for LSIC. 
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Fig. 4. Overview of the Latin square image cipher 



B. LSB Noise Embedding 

Probabilistic encryption ll38l . |[39l means to use randomness in a cipher, so that this cipher is able to encrypt 
one plaintext with the exact same encryption key to distinctive ciphertexts. It is well known that such randomness 
is crucial to achieve semantic security BOl . 

In this paper, we introduce such randomness by embedding noise in the least significant bit-plane of an image. 
More specifically, we XOR a randomly generated 256 x 256 bit-plane with the least significant bit-plane of the 
plaintext image, where the generation of this random bit-plane is completely independent of the encryption key. 

Fig. [5] shows an example of LSB noise embedding. Once again, these introduced noise in LSB does not affect 
any image visual quality from the point view of human visual perceptibility. However, any slight change in plaintext 
here will lead to significant changes in ciphertext after it is encrypted by by the SPN. 




Fig. 5. Noise embedding in LSB - (a) plaintext Lenna P with histogram (b) noise embedded plaintext P' with histogram, and (c) |P — P' 
with the difference of histograms 
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C. Key Translation 

In conventional block ciphers, keys are directly used without translation, e.g. in key whitening process, but the 
proposed LSIC uses a 256-bit encryption key K with key translation to eight key-dependent Latin squares of order 
256 before using in LSIC. Specifically speaking, for a given 256-bit encryption key K, we 

1) Divide the encryption key K using function SubKeyDiv into eight 32-bit subkeys, i.e. 

2) Generate pairs of pseudo-random sequences {Q\,Q2)^ {Q\^Q\)^ ■ ■ ■ i (QijQl)' ^^^^ pair with 2 x 256 ele- 
ments by using PRNGs by feeding these subkeys as seeds. 

3) Generate key-dependent Latin squares i.e. Lq,Li,--- , Lg with the order of 256 by feeding these pseudo- 
random sequences in Algorithm 1. Namely, Vn G {0, 1, • • • , 8}, we have 

Ln = LSG{Qi, Q2) 

The first two steps can be realized via Algorithm 2 with encryption key K and M = 8. 



Algorithm 2. Key Dependent Sequence Generator (Qi, Q2) = KDSG{Key, M) 



Require: A' is a 256-bit key 
Require: n is a nonnegative integer 

Ensure: Qi = {Qi, ■ ■ ■ , Qf^} and Q2 = {Q2, ■ ■ ■ i Q^^} n-element set of random sequences, each of a lengtli 256. 
Ko = K 

forn = : 1 : Af do 

[fcOi fcl, ■ ■ ■ , fc?] = SubKeyDiv(K„) 
for i = : 1 : 8 do 

g^(0) = PRNGikiY 

for j = 1 : 1 : 63 do 

q'ij)=PRNG{q'(j-l)) 

end for 
end for 

= \gO(o : 31),gl(0 : 31),--- ,g'^{0 : 31)] %^ 
= [g0{32 : 63),(?i(32 : 63),--- ,(?''(32 : 63)] 
K„+i = [gO(63),qi(63),-- - ,g''(63)] 
end for 



All PRNGs can be used in Algorithm 2, but not all of them are secure for cryptography, for example, the linear 
congruential generator [32 1. Using cryptographic secure PRNGs in Algorithm 2 can further enhance the cipher 
security, for example, PRNGs from eSTREAM project ^ with nonce [ 411 . 



D. Latin Square Whitening 

In the conventional SPN for block ciphers, the Whitening stage normally mixes a plaintext message P with a 
round key, e.g. XOR operation in |i4J, tSj], such that 

• The statistics of the plaintext message P is redistributed after mixing. 

• The relationship between ciphertext and encryption key is very complicated and involved. 

In image encryption, a plaintext message is an image block, P, composed of a number of pixels. Each pixel is 
represented by several binary bits (a byte). Therefore, XOR whitening scheme become inefficient for image data, in 
the sense that it requires to extend an encryption key to be a equal size to a plaintext image, and to impose bitwise 
XOR to byte pixels. And this type of image encryption is called a naive algorithm in [42J. Since the objective of 
key whitening is to mix plaintext data with encryption keys, we therefore define whitening as a transposition cipher 
B3l over the finite field GF{2^) for image data, as shown in Eq. (|4]) 

y = [x + /]2s (4) 



'Any PRNG can be used here by taking the key as its seed. 

^q^{ji : j2) denotes a vector of pseudo-random numbers with ele ments [q'O 'i), q^{ji + 1), • • • , <l'{j2 — 1), 9'(j2)]. 
^The eSTREAM project is available under http://www.ecrypt.eu.org/stream/ as the date of 04/10/2012. 
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where x is a byte in plaintext, / is a corresponding byte in the keyed Latin square, y is the whitening result and 
[.]28 denotes the computations over GF{2^). Above whitening process can be easily reversed by applying Eq. Q. 



[y + i] 



2» 



(5) 



In image encryption, plaintext byte x is a pixel, say it is located at the intersection of rth row and cth column 
i.e. X = P{r, c). Now let I = L{r, c) be an element located at the corresponding position in the keyed Latin square 
L, and y be the ciphertext byte with y = C{r, c), then we have the pixel-level equation 



(6) 



Cir,c) = [SRiPir,c),[D]3) + Lir,c)]^ 
P{r, c) = SR {[C{r, c) + L{r, c)]2b, [D]^ 

where symbol n denotes the current round number (n G [0,7]), D = L(0, 0) is the rotating parameter, and SR 
denotes the spatial rotating function {X, d) rotates an image X according to different values of the direction d as 
defined in Eq. (|7]) 

f X, ifd = 

Y = SR{X, d) = \ Flip X up ^ down, if d = I (7) 
FUp X left -f right, if d = 2 



Notice that if Y =SR(X, d), then the following identity always holds 

X = SR(y, d) 



(8) 



LSW : 



(9) 



Apply key whitening for all pixels using the pixel-level Eq. (|6]l, the Latin Square Whitening{LSW) in the image- 
level then can be denoted as 

' C = Ecr^{L,P,D) 
P = Derail, C,D) 

Therefore, we can restore the plaintext image block P from the ciphertext image block C using Eq. Q. 

Fig. [6] shows an example of Latin Square Whitening, where the first row shows images and the second row shows 
corresponding histograms of these images. From this example, it is easy to verify that the ciphertext image after 
the Latin Square Whitening is unrecognizable and its pixels are redistributed to uniform-like. 
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Fig. 6. A Latin Square Whitening example - (a) plaintext Lenna P, (b) reference Latin square L, and (c) ciphertext C — Ecr^uiL, P, 0) 



E. Latin Square Row and Column Bijections 

Since Eqs. ([2]) and Q hold, each row and each column in a Latin square L of order is a permutation of the 
integer number sequence [0, 1, • • • , N — 1], we can define bijections (one-to-one and onto mapping) by mapping 



WU et al. 



9 



\Col 
Ro^^\ 



44 



62 



Latin Square L 



67 



56 



255 



86 
71 



77 



35 



FRMiL, r,x) 
FRM{L,c,x) 



1 
44 11 
2 



255 
77 
35 



X 





1 




r 




c 




255 


FCM(L,x,r) 


4 


35 




9 




62 




41 


FCM(L,x,c) 


12 


1 




67 




3 




56 



Fig. 7. Examples of building forward row mappings and forward column mappings using a Latin square 



this integer number sequence to either a row or a column in a Latin square, which is a permutated sequence of 
the integer number sequence. In other words, we are able to construct forward and inverse row mapping functions 



(FRM and IRM) with respect to the rth row in L as shown in Eq. (10 1, and also forward and inverse column 
mapping functions (FCM and ICM) with respect to the cth column in L as shown in Eq. (Ill, where x and y 
denote the input and output of the mapping functions, respectively. 

( y = FRM{L, r, x) = L{r, x) 

1 X = Ii2M(L, r, y) = arg max (/i(r, z, y)) ^^^^ 

r y = FCM{L,x,c) = L{x,c) 

\ X = /CM(L,y,c) = arg max (/L(z,c,y)) ^^^> 

where /l is the tri-tuple function defined in Eq. ([T]l. Its maximum is equal to 1, i.e. fL{r,x,y) = 1, only for the 
column number x satisfying the constraint, L(r, x) = y. Further, we have row mapping identities hold for arbitrary 
X and y within a Latin square L: 

' IRM{L,r,FRM{L,r,x))=x 
FRM{L,r,IRM{L,r,y)) = y 

Similarly, we also have column mapping identities as follows: 

ICM{L,FCM{L,x,c),c) = x 

FCMiL,ICM{L,y,c),c) = y ^^^^ 

Fig. [7] shows FRM and FCM functions defined by a Latin square. As can be seen, given a row number r, the 
effect of forward row mapping is to use this Latin square as a look-up table and to find the corresponding element 
in row r. Similarly, given a column number c, the effect of forward column mapping to use this Latin square 
as a look-up table and to find the corresponding element in column c. Such nice property is directly from the 
constructional constraint in a Latin square. 

Since a A^th order Latin square has N rows and N columns, there are N bijections from N rows and another 
bijections from N columns in the Latin square. It is well-known that a bijection can be directly used as a P-Box 
ll28l and can also serve as a S-Box 1281 . We therefore are able to construct S-Boxes and P-Boxes from a Latin 
square. 



F. Latin Square Substitution 

An S-Box in cryptography is a basic component performing byte substitution. Each S-Box can be defined as 
a bijection, also known as a one-to-one and onto mapping. In image encryption, an image pixel is commonly 
represented as a byte, i.e. a sequence of bits. For example, 8-bit grayscale image has 256 gray intensity scales with 
each intensity scale represented in an 8-bit sequence. 
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Because of the existence of FRM/IRM and FCM/ICM bijections in a Latin square, we are able to perform byte 
substitution in an image cipher using bijections from rows and columns in a Latin square. The substitution with 
respect to a row in a Latin square is called Latin Square Row S-box{LSRS) in this paper: 



LSRS : 



C = Ecrl"'"{L,P) 
p = Dcrl'^{L,C) 



(14) 



In regard to pixel-level function of LSRS, each ciphertext byte is determined by the FRM function (see Eq. ( [TO] )) 
using the keyed Latin square L with function parameters given by plaintext bytes and ciphertext bytes as follows 



Ecrl""" : C(r, c) 



FRM (L, C(r - 1, c),P{r, c)) , if r ^ 
FRM {L,0,P{r,c)) , if r = 



(15) 



Clearly, plaintext bytes then can be perfectly restored from ciphertext bytes, if we use IRM instead of FRM as 
follows 

ran. f I RM {L , C {r - 1, c) , C {r, c)) , if r ^ 

IRM {L,0,C{r,c)) , if r = 



Dcr™'" : P{r, c) 



(16) 



Similarly, we use bijections from columns in a Latin square to perform byte substitutions. And this is called 
Latin Square Column S-box{LSCS) i.e. 



LSCS : 



C = Ecrf\L,P) 



P = Dcrf\L,C) 

and the corresponding LSCS encryption and decryption process then can be defined as: 

Ecrf : C(r, c) 



(17) 



FCM (L, P{r, c), C(r, c - 1)) , if c / 
FCM{L,P{r,c),0), if c = 



DcrfP{r, c) 



(18) 
(19) 



ICM {L, C{r, c),C{r, c - 1)) , if c / 
ICM{L,C{r,c),0), ifc = 

Fig. [8] shows encryption results of Latin Square Row S-box and Latin Square Column S-box. As can be seen, 
the plaintext image block P becomes unrecognizable after applying either LSRS or LSCS. Histogram analysis also 
shows that the statistics of the pixel intensity changes dramatically after substitution. 




^^^^ 



(b) 




50 100 150 200 260 



50 100 150 200 260 





^^^^^^^^^^^^^^ 

(d) 




00 160 200 260 



Fig. 8. A Latin Square Substitution example - (a) plaintext P: Lenna Image, (b) Latin square L, (c) ciphertext Cr ~ Ecrl°™ (L, P), and 
(d) Ciphertext Cc = Ecrl°\L,P) 



The Latin square row/column substitution defined above has excellent diffusion properties. One pixel change 
in the plaintext P will diffuse to a column/row of pixels after a round of LSRS or LSCS. This diffusion quickly 
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spreads to the entire ciphertext image in several cipher rounds. 



G. Latin Square Permutation 

Unlike a S-Box performing byte substitution, a P-Box performs byte shuffling or scrambling. Each P-Box can 
also be defined as a bijection f28l. 

If we consider both input x and output y in FRM and IRM as indices (see Eq. ([T0|), then FRM defines a mapping 
{0, 1, • • • , 255} — 7- {0, 1, • • • , 255} and IRM defines the corresponding inverse mapping. We therefore are able to 
define the Latin square row p-box (LSRP) with respect to rows in a Latin square L as follows, 

roRp./ C{r,Cy) = P{r,FRM{L,r,c,)) 

^"^^ • \ P{r, c,.) = C (r, IRM{L, r, c,)) ^^"^ 

where Cx and Cy denotes the column indices before and after mapping. Consequently, for any pixel in P and its 
corresponding pixel in C are in the same row r after LSRP; and only column indices change before and after 
mapping with relationship Cy = FRM{L,r,Cx) holds. 

Similarly, we can also construct Latin Square Column P-box(LSCP) with respect to columns in a Latin square 

as 

rqrP- C{ry,c) = P{FCM{L,rx,c),c) 
p(rx,c) = CiICM{L,ry,c),c) 

In order to achieve better performance, we construct our Latin Square Permutation by cascading LSRPs s and 
LSCPs as follows 

C7(r, c) = C*{FCM{L, r, c), c) (22) 
C*{r, c) = P(r, FRM{L, r, c)) (23) 

In general, we write this Latin Square Permutationfunction as 

LSP-i ^ = (24) 




^^^^^^^^^^ 












(e) 



Fig. 9. A Latin Square Permutation example - (a) plaintext Lenna P, (b) Latin square L, (c) ciphertext with only LSRP, (d) ciphertext 
with only LSCP, and (e) ciphertext with LSP C = Ecrp{L, P) 

Fig. [9] shows permutation results of using LSRP, LSCP and LSP. It is clear that cascading LSRP and LSCP in 
LSP helps LSP to achieve a better pixel permutation performance in the sense that, pixels in its ciphertext image 
become more random-like and make the ciphertext image content unintelligible. 



H. Encryption/Decryption Algorithms 

After constructing Latin square based encryption primitives for image data, we now are able to construct the 
SPN cipher as shown in Fig. |4] Algorithm 3 and 4 describe the encryption and decryption process of the Latin 
square image cipher, respectively. 

''LSBNoiseEmbedding could be any function to embed random binary noise in the least significant bit-plane of a plaintext image, e.g. a 
function randomly change the parity of a plaintext pixel on its LSB. 
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Algorithm 3. Latin Square Image Cipher- Encryption C — <£{P, K) 
Require: _ftr is a 256-bit key 

Require: P is a 256 x 256 8-bit grayscale image block 
Ensure: C is a 256 x 256 8-bit grayscale image block 

(Qi,Q2) = KDSG{K,8) 
forn = : 1 : 7 do 

if n == then 

Clsp = LSBNoiseEmbedding(P)'' 

end if 

L„ = LSG{Q^,Q1^) 
D„ = L„(0,0) 

ClSW = Ecryj{Ln,CLSP,Dn) 

if mod{n, 2) ^ then 

Clss = Ecrr'{L„,CLSw) 
else 

CLSS = Ecrl''^(L^,CLSw) 
end if 

Clsp = Ecrp{L„,CLSs) 
end for 

Lg = L5G(Qf,Qi) 

Ds = La(,0,0) 

C = Ecr^{Ls,CLSP,Du) 



Algorithm 4. Latin Square Image Cipher- Decryption P = S)(C, K) 
Require: K is a 256-bit key 

Require: C is a 256 x 256 8-bit grayscale image block 
Ensure: P is a 256 x 256 8-bit grayscale image block 

(Qi,Q2) = KDSG{K,8) 
forn = 7 : -1 : do 
if n == 7 then 

Lg = iS'G(Qf,Q|) 
Dg = 1,8(0,0) 
Plsw = Dcrm{Ls,C,Ds) 
end if 

L„ = LSG(Q^,Q1^) 
D„ = L„{0,0) 

Plsp = Decp{Ln,PLsw) 
if mod{n, 2) ^ then 

PLSS = Dcr';'''{Ln,PLSp) 
else 

PiSS = S<°"'(in,PLSp) 

end if 

Plsw = Dcriu{L„, Plss, Pn) 
end for 
P = Plsw 



I. Discussion 

Our design criteria behind the Latin Square Substitution are to achieve the following objectives, 

1) A ciphertext image is very sensitive to any slight change in a plaintext image. 

2) A deciphered image is insensitive to slight change in a ciphertext image. 



In practice, Latin Square Substitution is of an asymmetric structure as shown in Fig. 10 in the sense that encrypting 
one plaintext byte requires one plaintext byte and one ciphertext byte, while decrypting one ciphertext byte requires 
two ciphertext byte but no plaintext byte. This process is similar to weave a thread of ciphertext bytes on the 
ciphertext image, which has to be done by intersecting the longitudinal threads of plaintext bytes. As a result, 
changing one pixel in a plaintext image influence all pixels after it in its row in the first encryption round, further 
all pixels after these influenced pixels in corresponding columns in the second encryption round, and then more 
pixels in the third encryption round, so on and so forth until the last round. As a result, this small change in 
plaintext image will lead to a completely different ciphertext image. In contrast, changing one pixel in a ciphertext 
image only leads a two-pixel-change in the first decryption round, and at most 2^ = 256 pixel changes in the 
deciphered image. Hence the Latin Square Substitution indeed achieves both goals above and gains encryption 
diffusion properties against plaintext change and decryption robustness against ciphertext noise simultaneously. 
More results and examples about these two abilities will be discussed in future sections. 
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Fig. 10. Latin Square Substitution has an asymmetric structure for encryption and decryption 



The proposed Latin square image cipher is carefully designed with respect to image data. We use the psychovisual 
redundancy within an image and realize the probabilistic encryption by introducing random noise in the LSB of a 
plaintext image block. We also notice the information redundancy within adjacent image pixels, which might lead 
to information leakage by estimating a pixel's intensity from its neighbors. We break these high correlated neighbor 
pixels by applying Latin Square Whitening, which shifts pixels within a homogenous region to random-like in the 
sense that shifting amounts of any two highly correlated pixels within a row or a column in the homogenous region 
are always different. This way prevents the prediction of a pixel's intensity from its neighbors and thus decorrelates 
these pixels. In addition, Latin Square Whitening also allows to spatial transform a plaintext image in a random-like 
manner. Further our proposed Latin Square Substitution substitutes pixel bytes along rows and columns iteratively 
like weaving in a loom, if we consider a row of pixels is a longitudinal thread and a column of pixels is a latitudinal 
thread. Finally Latin Square Permutation shuffles plaintext image pixels all over the domain. In summary the SPN 
used in LSIC differs from the conventional SPN block cipher [,28,1 in: 

• Cipher Object: LSIC is designed for two-dimensional images while a conventional SPN block cipher works 
for one-dimensional bit streams. 

• Processing Unit: LSIC processes image data byte by byte while a SPN block cipher encrypts data bit by bit. 

• Cipher Structure: LSIC is of a loom-like processing, which includes spatial flipping and iterative substitution 
along rows and columns. 

• Parametric Processes: LSIC generates dynamic Latin Square Whitening, S-Box and P-Box while processes in 
a SPN block cipher are static and key independent. 



IV. Simulation Results 

A. Experiment Settings and Dataset 

We perform the following simulations using a computer under MATLAB RlOlOa environment with a Windows 
7 Operating System, QGh memory and Intel Core2 2.66GHz CPU. Test images are from the Miscellaneous dataset 
in the USC-SIPI image database^. The detailed information about these test images are listed in Table |l] 

Although we believe the performance of an image cipher should be tested over a fairly large dataset, e.g. the USC 
SIPI Miscellaneous dataset, the analysis of many peer image encryption methods are merely about a small number 
of test images e.g. Lenna image. Therefore, we perform fair comparisons between the proposed LSIC and peer 

methods 0, im, im, na, im, m, ma, isi, i47ii, gsi, im, im, ied, im, m, iimj. in three following 

aspects: 

• If peer methods have performance reports on Lenna image, we compare the performance of LSIC with those 
methods on the identical Lenna image. 

• If peer methods have the accessible source code (Mao et al. 2004 fS\) or the executive file {e.g. bmpPacker^) 
online, we compare the performance of these methods with LSIC over the entire Miscellaneous dataset. 

• If peer methods have performance reports also on the entire Miscellaneous dataset already (Pareek et al. , 
2006 1 54 1), we directly cite these reports for comparisons. 

Furthermore, we turn off LSBNoiseEmbedding function in all simulations because we want to: 

^USC-SIPI image database is a public image database held by the University of South California, available at http://sipi.usc.edu/database/ 
as the date of 04/10/2012. 

^bmpPacker is an encryption software containing many classic block ciphers written by Jens Godeke. Only its AES cipher is used in our 
simulations. This freeware is available on: |http://www.jens-goedeke.eu/tools/bmppacker/| as the date of 04/10/2012. 
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TABLE I 

USC-SIPI Miscellaneous DATASET INFORMATION 



1 

Fig. 11. VSC-SIPI Miscellanous dalSLset 



File 


Description 


Size 


Tvne 


4.1.01 


Girl 


256 


Color 


4.1.02 


Couple 


256 


Color 


4.1.03 


Girl 


256 


Color 


4. 1 .04 


Girl 


256 


Color 


4.1.05 


House 


256 


Color 


4. 1 .06 




256 


Color 


4.1.07 


Jelly beans 


256 


Color 


4.1.08 


Jelly beans 


256 


Color 


4.2.01 


Splash 


512 


Color 


4.2.02 


Girl (Tiffany) 


512 


Color 


4.2.03 


Mandrill (a.k.a. Baboon) 


512 


Color 


4.2.04 


Girl (Lena, or Lenna) 


512 


Color 


4.2.05 


Airplane (F-16) 


512 


Color 


4.2.06 




512 


Color 


4.2.07 


Peppers 


512 


Color 


5.1.09 


Moon surface 


256 


Gray 


5.1.10 


Aerial 


256 




5.1.11 


Airplane 


256 


Gray 


5.1.12 


Clock 


256 


Gray 


5.1.13 


Resolution, chsrt 


256 


Gray 


5.1.14 


Chemics.! plsnt 


256 




5.2.08 


Couple 


512 


Gray 


5.2.09 


Aerial 


512 


Gray 


5.2.10 


Stream and bridge 


512 


Gray 


5.3.01 


Man 


1024 




5.3.02 


Airport 


1024 


Gray 


7.1.01 


Truck 


512 


Gray 


7.1.02 


Airplane 


512 




7.1.03 


Tank 


512 


Gray 


7.1.04 


Par and APP*; 


512 




7.1.05 


Truck and APCs 


512 


Gray 


7.1.06 


Track and APCs 


512 


Gray 


7.1.07 




512 




7.1.08 


APC 


512 


Gray 


7.1.09 


Tank 


512 


Gray 


7.1.10 


Car and APCs 


512 


Gray 


7.2.01 


Airplane (U-2) 


1024 


Gray 


boat.512 


Fishing Boat 


512 


Gray 


elame.512 


Girl (Elaine) 


512 


Gray 


house 


House 


512 


Color 


gray21.512 


21 level step wedge 


512 


Gray 


numbers.512 


256 level test pattern 


512 


Gray 


ruler.512 


Pixel raler 


512 


Gray 


testpat.lk 


General test pattern 


1024 


Gray 



• prevent the possible unfair comparisons, because other compared algorithms donot have this stage 

• separate the influences brought by these embedded random noises from Latin square encryption primitives 

However, the probabilistic encryption integrated in the LSIC does enhance the cipher security, because without this 
stage the two ciphertext images Ci and C2 by encrypting a plaintext image P twice with a key K are always 
identical,/, Ci = C2, which provides an adversary plaintext information from ciphertext information that he/she 
should never know. In contrast, LSIC with LSB Noise Embedding is able to encrypt a plaintext image to distinctive 
ciphertext images because of the embedded noise from time to time are not necessarily the same and thus completely 
prevent the risk of information leakage in the deterministic encryption. 



B. Simulation Results 



Image encryption results using the proposed Latin square image cipher are shown in Fig. 12 As can be seen, 
the proposed LSIC is able to 

• generate unintelligible ciphertext images no matter what contents or types of the plaintext images; 

• make the statistics of ciphertext images to be uniform-like; 

• perfectly reconstruct the plaintext images from the corresponding ciphertext images. 
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It is also worthwhile to note that the test images 5.1.13, ruler.512 and testpat.lk are very difficult cases for image 
encryption because they have large size homogeneous regions, i.e. they have extremely tilted histograms. However, 
the proposed Latin square image cipher encrypts those two images successfully. 

In regard to encryption speed, the proposed Latin square image cipher is able to encrypt each 256 x 256 image 
block (pixel in 8-bit byte) with 1.2331±0. 10089 seconds for all test images pulled from the USC-SIPI Miscellaneous 
dataset under the MATLAB implementation. Therefore, roughly speaking, the encryption/decryption speed of the 
proposed Latin square image cipher about 0.415M6/s (Megabits per second) or equivalently 3.32Af6/s per round 
under MATLAB. In regard to decryption speed, the proposed Latin square image cipher is able to decrypt each 
256 X 256 image block (pixel in 8-bit byte) with 0.7137 ± 0.06222 seconds (equivalently 5.74M6/s per round) for 
all test encrypted images from the USC-SIPI Miscellaneous dataset. The decryption speed is faster than encryption 
because Latin Square S-boxes defined in Eqs. ( 14i and (17i are asymmetric for encryption and decryption (see Fig. 

m. 



V. Security Analysis 

A good image encryption algorithm/cipher should be able to resist all known types of attacks and cryptanalysis. 
Its performance should be independent of a used encryption key and a plaintext image. First of all, this cipher should 
be theoretically secure against known attacks. Secondly, a good image encryption algorithm/cipher should have both 
confusion property and diffusion property, which are proposed in [27 | as criteria for secure ciphers. The confusion 
property implies the cipher ability to encrypt an arbitrary plaintext image into random-like ciphertext, so that an 
adversary cannot extract any information about the plaintext image from ciphertext images. The diffusion property 
implies the cipher has capability to diffuse even a slight change in a plaintext image over the entire ciphertext 
image. Furthermore, a good image encryption algorithm/cipher should also be secure with respect to attacks against 
encryption keys [28] and robust under noisy environment [24|. In this section, we discuss the security of the 
proposed LSIC under all above analysis and deeply study the LSIC performance with extensive simulation results 
and comparisons. 



A. Theoretical Analysis 

1 ) Brute-Force Attack: In cryptography, a brute-force attack, or exhaustive key search, is a strategy that is able 
to crack any encrypted data by searching all possible keys in the key space until the right key is found. It is well 
known that the key length, i.e. the size of the key space used in an encryption system, determines the practical 
feasibility of performing a brute-force attack: longer keys means more difficulties than shorter ones in the terms of 
the time complexity. 

The proposed Latin square image cipher has a key space of 256 bits, which is larger than or equal to the 
mainstream cipher standards such as DES [4| and AES [5], where the later one 192-bit key is known to be large 
enough to resist brute-force attacks. Therefore, the proposed Latin square image cipher also has a sufficient large 
key space against brute-force attack. 

It is worthwhile to note the theoretical key space of the proposed Latin square image cipher has a even larger 
key space than 256-bit. As stated in Section III, the proposed cipher depends on eight 256 x 256 Latin squares. 
Regardless of all other methods for generating these Latin square, consider the Latin square generator in Algorithm 
1 where a Latin square is uniquely determined by two length 256 permutation sequence, then it is not difficult to 
see that the number of Latin squares can be generated by Algorithm 1 is 256! x 256! 2'^'^^'^. Consequently, the 
theoretical key size allowed in the cipher is about (2^^^^)^ = 2^^^^'*, i.e. about 26944 bits. This implies that the 
adopted key length in the Latin square image cipher can be easily increased to against brute-force attacks in future, 
when the current 256-bit key length is no longer long enough. Therefore, the proposed Latin square image cipher 
has a extremely large key space to against brute-force attacks. 

2) Ciphertext and Plaintext Attacks: In cryptography, ciphertext and plaintext are commonly used in attack 
models to analyze the security of an encryption system. Specifically speaking, we consider a ciphertext-only attack 
assuming that an adversary is only able to access a set of ciphertext, a known plaintext attack assuming that an 
adversary is able to access a set of plaintexts and corresponding ciphertexts, and a chose-plaintext attack assuming 
that an adversary is able to access arbitrary plaintexts to be encrypted and obtains the corresponding ciphertexts. As 
can be seen from attack assumptions, the chosen-plaintext attack awards an adversary the most information about 
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Fig. 12. Sample results of encrypting and decrypting images using the Latin square image cipher (1st column: plaintext images; 2nd column: 
histograms of plaintext images; 3rd column: ciphertext images; 4th column: histograms of ciphertext images; and 5th column: decipertedtext 
images.) 
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plaintexts and ciphertexts among the three attack models. Therefore, if a cipher is able to resist chosen-plaintext 
attacks, then it is also immune to ciphertext-only and known-plaintext attacks. 

The proposed Latin square image cipher has good resistance to chosen-plaintext attacks because of three reasons 
listed below: 

• Nonlinear Key Translation: instead of directly applying the key the cipher for encryption in a conventional 
block cipher, e.g. key whitening, an encryption key used in the proposed Latin square image cipher is first 
translated to eight 256 x 256 Latin squares and then used for contructing key dependent encryption primitives 
for image encryption. Therefore, the relation between the key and ciphertext is more involved and complicated 
than the conventional key usage. 

• Probabilistic Encryption: the proposed Latin square image cipher has a pre-process realizing probabilistic 
encryption by introducing a small amount of noise to the LSB of a plaintext image. As a result, the cipher is 
able to generate significantly different ciphertext images even when the key and the plaintext image are both 
unchanged, but to leave deciphered images visually unchanged. This way helps the Latin square image cipher 
achieves semantically secure BOl . 

• Dynamic S-boxes and P-boxes: Since all S-boxes and P-boxes used in the Latin square image cipher are 
dependent on Latin squares used in each round, they aie dynamic instead of fixed. This fact implies that even 
if an adversary is able to crack an encryption key, all other keys are still safe because P-boxes and S-boxes 
associated with these keys are unbroken. As a result, ciphertext images encrypted by other keys are still safe. 

Therefore, the proposed Latin square image cipher has good resistance to these ciphertext and pliantext attacks. 



B. Confusion Property Analysis 

The confusion property f2T| of a secure cipher emphasizes the ability of making the relationship between the key 
and the ciphertext as complex and involved as possible. If a cipher has good confusion property, it is very difficult 
to find the encryption key, even if a large number of plaintext-ciphertext pairs produced by the same encryption key 
are available for an adversary. In other words, a cipher with good confusion property should have good resistances 
to known-plaintext attacks |28] and ciphertext-only attacks [28 1. To demonstrate the excellent confusion property 
of the proposed Latin square image cipher, we perform two types of statistical analysis: entropy and correlation. 

1 ) Entropy Analysis: Information entropy is a quantitative measurement of how random a signal is. Because a 
digital image is a type of digital signal. The entropy analysis can be used to measure the randomness of a test 
image. The information entropy of an image can be defined as Eq. ([25]), where X denotes the test image, x-i denotes 
the i*^^ possible value in X, and Pr(xi) is the probability of X = Xi, i.e. the probability of pulling a random pixel in 
X and its value is Xi. The maximum of H{X) is achieved when X is uniformly distributed as shown in Eq. p6l ), 
i.e. X has a complete flat histogram and the symbol F denotes the number of allowed intensity scales associated 
with the image format. For example, F = 256 is the number of intensity scales of a grayscale image or a RGB 
color image. 

n 

H{X) = -Yl Pr(^0 log2 Pr(^i) (25) 

i=l 

Prix = Xi) = l/F (26) 

For the test images in Table [l| F = 256 and therefore the upper-bound of information entropy is 8. The comparison 
results of information entropy between the proposed Latin square image cipher and peer algorithms are listed in 
Table [Ilj where the method with the highest entropy score is shaded for each test image. These results show that 
the proposed Latin square image cipher outperforms listed peer image encryption algorithms/methods. 



The results of information entropy analysis for the complete set of test images are listed in Table III These 
results illustrate that the proposed Latin square image cipher 

• obtains ciphertext images whose information entropy scores much closer to the entropy upper-bound than those 
encrypted by other encryption methods; 

• is effective and robust to different image contents and pixel intensity statistics; 

• outperforms the conventional AES cipher implemented by bmpPacker and the method proposed in ^ in most 
cases. 
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TABLE II 

Algorithm comparison with information entropy 



p 


Method 


Entropy 




Chen et al , 2004 (6) 


7.9938 


L 


Xiang et al. ,2006 


7.9950 




|44| 




e 


Wong et al. , 2003 


7.9690 




|45| (reported in (46)) 




n 


Zhang et al. , 2010 


7.9980 




147] 




n 


Zhu et al. , 2010 (48) 


7.9901 


a 


Sun et al. ,2010 |46l 


7.9965 




Ours 


7.997161 



P 


ChanneI\Method 


Wang et 
al. 2011 


Entropy 

Liu et Patidar et al. 
al 2011 2011 fsTI 


Ours 






m 


15*01 








Red 


7.999324 


7.9871 


7.9957 


7.999351 


4.2.04 


Green 


7.999371 


7.9802 


7.9963 


7.999416 


(ColorLenna) 


Blue 


7.999292 


7.9878 


7.9951 


7.999314 




Red 


N/a 


7.9877 


7.9952 


7.999309 


4.2.07 


Green 


N/a 


7.9881 


7.9959 


7.999285 


iColorPepper) 


Blue 


N/a 


7.9877 


7.9954 


7.999258 



TABLE III 

Results of information entropy analysis 









Ciphertext 




File 


Plaintext 


Ours 


bmpPacker-AES- 


Chen et al. , 2004(6) 


4.1.01 


6.898139 


7.998963 


7.988561 


7.998430 


4.1.02 


6.294498 


7.999027 


7.979298 


7.999061 


4.1.03 


5.970916 


7.999122 


7.990187 


7.999113 


4.1.04 


7.426957 


7.998948 


7.990089 


7.999032 


4.1.05 


7.068625 


7.999140 


7.981035 


7.998891 


4.1.06 


7.537089 


7.998936 


7.989820 


7.998902 


4.1.07 


6.583485 


7.999241 


7.990487 


7.999033 


4.1.08 


6.852716 


7.999199 


7.997651 


7.999182 


4.2.01 


7.242831 


7.999808 


7.998747 


7.999760 


4.2.02 


6.416494 


7.999756 


7.997469 


7.999763 


4.2.03 


7.762436 


7.999765 


7.997581 


7.999752 


4.2.04 


7.750197 


7.999799 


7.997733 


7.999772 


4.2.05 


6.663908 


7.999756 


7.997463 


7.999746 


4.2.06 


7.762170 


7.999789 


7.997550 


7.999747 


4.2.07 


7.669826 


7.999766 


7.908851 


7.999781 


5.1.09 


6.709312 


7.997266 


7.906739 


7.997011 


5.1.10 


7.311807 


7.997667 


7.941872 


7.997144 


5.1.11 


6.452275 


7.996775 


7.929405 


7.99652 


5.1.12 


6.705667 


7.996730 


7.363568 


7.996729 


5.1.13 


1.548314 


7.997299 


7.903557 


7.997143 


5.1.14 


7.342433 


7.997022 


7.992544 


7.997271 


5.2.08 


7.201008 


7.999359 


7.987446 


7.999257 


5.2.09 


6.993994 


7.999240 


7.984631 


7.999199 


5.2.10 


5.705560 


7.999250 


7.998720 


7.999303 


5.3.01 


7.523737 


7.999820 


7.998599 


7.999801 


5.3.02 


6.830330 


7.999819 


7.990318 


7.999831 


7.1.01 


6.027415 


7.999353 


7.989542 


7.999321 


7.1.02 


4.004499 


7.999284 


7.983057 


7.999302 


7.1.03 


5.495740 


7.999325 


7.993621 


7.999192 


7.1.04 


6.107418 


7.999315 


7.983570 


7.999313 


7.1.05 


6.563196 


7.999302 


7.985406 


7.999296 


7.1.06 


6.695283 


7.999279 


7.985253 


7.999268 


7.1.07 


5.991599 


7.999437 


7.990304 


7.999221 


7.1.08 


5.053448 


7.999371 


7.983746 


7.999236 


7.1.09 


6.189814 


7.999412 


7.985088 


7.999271 


7.1.10 


5.908790 


7.999391 


7.998478 


7.999235 


7.2.01 


5.641454 


7.999811 


7.985051 


7.999829 


boat.512 


7.191370 


7.999353 


7.989566 


7.999401 


elaine.512 


7.505984 


7.999252 


6.492821 


7.999231 


gray21.512 


4.392295 


7.999364 


7.979908 


7.999772 


house 


7.485787 


7.999786 


7.997553 


7.999781 


numbers. 5 1 2 


7.729247 


7.999263 


6.893247 


7.999201 


ruler512 


0.500033 


7.999258 


7.903134 


7.999298 


testpat. Ik 


4.407726 


7.999809 


7.903132 


7.999800 




# Best 


31 





13 


Statistics 


Mean 


7.999105 


7.905055 


7.9990486 




Std 


0.000856 


0.290957 


0.000903 
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2) Adjacent Pixel Correlation Analysis: Adjacent pixel correlation (APC) is a quantitative measurement for image 
randomness. It measures the correlations between adjacent pixels within an image. The adjacent pixel correlation 
can be defined as an autocorrelation function as shown in Eq. ( [27] ), where Xt denotes an extracted pixel sequence 
and XtJ^i denotes a pixel sequence where each pixel is the adjacent pixel of the con^esponding pixel in Xt, fi is the 
mean value defined by Eq. ( [28| ) and a is the standard deviation defined by Eq. ( [29] ), the definition of mathematical 
expectation is given in Eq. ( |30l ). 

APC = E[{Xt-fi)iXt+i-fi)]/a^ (27) 
fi = E[X] (28) 
a = ^E[{X - ^)2] (29) 

N 

E[x] = ^Xi/N (30) 

i=l 

The closer to zero this correlation coefficient is, the weaker relationship between the pixel sequence and its adjacent 
pixel sequence. Because the adjacent pixel sequence can be extracted from the horizontal, vertical, or diagonal 
direction, the adjacent pixel correlation will be analyzed with respect to these three directions. 




(a) 



(e) 




(b) 























(f) 




(c) 



(g) 




(d) 
(h) 



Fig. 13. Adjacent pixels correlations before and after encryption - (a) plaintext Lenna P, (b) horizontal adjacent pixels in P, (c) vertical 
adjacent pixels in P, (d) diagonal adjacent pixels in P, (e) ciphertext C = <£{P, K), (f) horizontal adjacent pixels in C, (g) vertical adjacent 
pixels in C, and (h) diagonal adjacent pixels in C. 



TABLE IV 

Comparison of APC scores for the image Lenna 



Encryption Method Horizontal Vertical 



Diagonal 



Original Lenna 
Awad, 2011 1161 
Mao et al. , 2004 O 
Liao et al. , 2010 fOl 
Fu et al. , 2011 | 52| 
Ours 



0.9400 
0.0127 
-0.00024 
0.0127 
0.0368 



0.9709 
-0.0093 
-0.24251 
-0.0190 

0.0392 



0.9710 
-0.0059 

0.23644 
-0.0012 

0.0068 



0.0053365 -0.0027616 0.0016621 



Fig. 13 shows the randomly selected 1024 pairs of adjacent pixels along the horizontal, vertical and diagonal 
directions. The horizontal axis of the scatter plot denotes the intensity of one randomly selected pixel and the 



20 



A DRAFT SUBMITTED TO IEEE TRANSACTIONS ON INFORMATION FORENSICS AND SECURITY 



vertical axis denotes the intensity of its adjacent pixel. The APC results for the test image Lenna are listed in Table 



IV The proposed Latin square image cipher decorrelates adjacent pixels in the plaintext image and outperforms 
the listed encryption algorithms [1I61I . |i6J, IJ7il . [,15,1 . [i52.1 due to its smaller correlation coefficients. 

Table |V] shows the APCs for test plaintext images and their corresponding ciphertext images using the Latin 
square image cipher and peer algorithms, where the best APC score is shaded for each test image. These results 
further demonstrates that the Latin square image cipher outperforms peer algorithms in most trails with the smallest 
mean and standard deviation of APCs. 

TABLE V 

Results of adjacent pixel correlation analysis 





|APC(PIaiiitext)| 




|APC(Ciphertext)| x 10" 


3 




r lie 


A lU 


bmpr acKer- 


Mao et al. , 


Chen et al. , 


Pareek et al. 


Ours 






AES 


2005 [53J 


2004 |6| 


. 2006 |54| 




4.1.01 


955.730 


11.397 


1.780 


1.240 


3.961 


1.382 


4.1.02 


926.227 


13.327 


3.000 


1.973 


8.119 


1.384 


4.1.03 


922.433 


24.657 


1.760 


2.170 


5.314 


1.956 


4.1.04 


959.193 


9.840 


1.443 


0.883 


11.863 


1.097 


4.1.05 


953.143 


11.130 


0.640 


1.437 


9.243 


0.432 


4.1.06 


932.417 


26.303 


1.487 


0.910 


3.994 


0.208 


4.1.07 


979.317 


10.723 


2.050 


1.680 


1.905 


2.572 


4.1.08 


972.013 


11.790 


1.393 


2.187 


2.922 


0.722 


4.2.01 


988.877 


6.757 


0.790 


0.427 


7.686 


0.533 


4.2.02 


945.423 


3.790 


1.137 


1.050 


8.184 


1.402 


4.2.03 


857.587 


6.603 


1.083 


0.897 


7.076 


1.036 


4.2.04 


978.600 


6.940 


1.523 


0.743 


2.325 


0.557 


4.2.05 


943.307 


7.493 


1.067 


0.587 


2.833 


2.199 


4.2.06 


959.510 


7.117 


1.263 


0.977 


8.145 


1.950 


4.2.07 


974.480 


5.347 


1.290 


0.990 


0.815 


0.146 


5.1.09 


911.973 


59.040 


3.053 


5.233 


0.779 


4.829 


5.1.10 


853.567 


61.290 


7.663 


7.397 


7.672 


0.188 


5.1.11 


890.580 


33.700 


2.580 


4.567 


4.110 


1.766 


5.1.12 


954.440 


45.793 


4.097 


4.943 


11.780 


3.443 


5.1.13 


831.833 


162.693 


4.160 


3.697 


17.896 


2.424 


5.1.14 


892.687 


67.513 


4.340 


1.407 


8.989 


4.538 


5.2.08 


884.630 


10.943 


1.600 


2.137 


6.210 


0.615 


5.2.09 


850.460 


18.137 


1.817 


1.253 


6.024 


0.168 


5.2.10 


917.130 


21.857 


1.403 


1.070 


1.512 


2.442 


5.3.01 


974.543 


3.887 


1.400 


1.203 


0.297 


0.752 


5.3.02 


890.127 


3.523 


0.863 


0.730 


1.944 


0.158 


7.1.01 


926.903 


10.853 


1.890 


2.217 


6.857 


0.670 


7.1.02 


928.663 


13.270 


3.263 


1.747 


6.561 


1.017 


7.1.03 


925.900 


22.620 


0.957 


1.877 


11.244 


0.352 


7.1.04 


958.447 


8.640 


1.297 


0.780 


2.139 


2.735 


7.1.05 


914.000 


22.010 


1.857 


1.397 


6.582 


1.407 


7.1.06 


908.887 


22.580 


1.373 


1.170 


1.338 


0.331 


7.1.07 


866.260 


21.397 


0.483 


1.577 


2.992 


0.432 


7.1.08 


934.933 


12.813 


1.257 


2.833 


6.279 


0.045 


7.1.09 


935.977 


24.920 


0.633 


1.213 


10.011 


0.025 


7.1.10 


946.177 


20.797 


2.547 


1.707 


6.344 


2.182 


7.2.01 


951.530 


5.330 


1.180 


0.613 


4.317 


0.273 


boat.512 


942.427 


19.453 


1.207 


0.887 


9.823 


2.120 


elaine.512 


969.757 


14.950 


1.607 


2.777 


7.839 


4.381 


house 


993.220 


116.010 


1.213 


2.507 


10.950 


0.757 


gray21.512 


941.383 


5.990 


1.590 


1.280 


12.766 


1.359 


numbers.512 


692.123 


26.230 


2.257 


1.733 


11.103 


1.948 


ruler.512 


313.253 


51.003 


1.947 


0.890 


3.126 


1.270 


testpat. Ik 


752.093 


45.560 


1.557 


1.067 


0.720 


0.703 




#Best 





2 


17 


2 


23 


Statistics 


Mean 


25.364 


1.882 


1.820 


6.195 


1.384 




Std 


30.331 


1.275 


1.406 


3.968 


1.222 



C. Diffusion Property Analysis 

The diffusion property describes the cipher ability of diffusing a change in a plaintext image over its corresponding 
ciphertext image. If a cipher is weak in diffusion, it might be vulnerable against the differential attacks ll28l . In 
image encryption, the number of changing pixel rate (NPCR) and the unified averaged changed intensity (UACI) are 
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two most common quantities used for evaluating the resistance of differential attacks against an image encryption 
method/algorithm/cipher IS, IHl, ifBl . 

Mathematically, the NPCR AA(C\ C^) and UACI U{C^,C'^) scores between two ciphertext images and C^, 
whose plaintext images are slightly different, can be defined as Eqs. ( [3T] ) and (|32]), respectively. The image of their 
difference Diff{i,j) is defined in Eq. (33 1 and denotes whether two pixels located at the image grid of 
and are equal. The symbols T and S denote the number of pixels in the ciphertext image and the number of 
allowed pixel intensity scales, respectively. 



JV{C\C^ 



M N 



DiffiiJ) 



X 100% 



M N 

EE 

i=l j=l 



CHi,j)-C\iJ)\ 
S-T 



X 100% 



DiffiiJ] 



0, if C\i,j) = CHi,j) 

1, if C\i,j)^C\i,j) 



(31) 



(32) 



(33) 



It is noticeable that NPCR concentrates on the absolute number of pixels which changes values in differential 
attacks, while the UACI focuses on the averaged difference between the paired ciphertext images. 



Fig. 14 shows the sample results of the diffusion property of the Latin square image cipher. The plaintext image 
differs from only one pixel on Lenna's shoulder. and are corresponding ciphertext images using the 
same encryption key. As can be seen, a single pixel difference between P^ and P^ diffuses to the entire cipher 
image and leads to a significant difference between and C^. Table VI shows corresponding NPCR and UACI 



scores of and using the proposed Latin square image cipher and other encryption algorithms. 




Fig. 14. Sample results of the cipher diffusion property - (a)plaintext Lenna original P^, (b) plaintext Lenna modified P^, (c) plaintext 
difference - P'^\, (d) ciphertext = €{P^,K), (e) ciphertext = €{P'^,K), and (f) ciphertext difference - 



TABLE VI 

Comparison of the NPCR and UACI scores of the image Lenna 



Encryption Method 


NPCR% 


UACI% 


Zhu et al. , 2011 |14| 


99.63 


33.48 


Chen et al. , 2004 ||6J 


99.25 


33.14 


Liao et a/. , 2010 (Ts) 


99.65 


33.48 


Ours 


99.6689 


33.4936 
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TABLE VII 
Results of Diffusion Properties 



File 


UACI% 


NPCR% 


4.1.01 


33.4402 


99.5885 


4.1.02 


33.3715 


99.6272 


4.1.03 


33.5130 


99.6297 


4.1.04 


33.5303 


99.6023 


4.1.05 


33.4018 


99.6028 


4.1.06 


33.5235 


99.5956 


4.1.07 


33.5855 


99.6302 


4.1.08 


33.4874 


99.6089 


4.2.01 


33.4763 


99.6058 


4.2.02 


33.4431 


99.6179 


4.2.03 


33.5031 


99.6120 


4.2.04 


33.5113 


99.6146 


4.2.05 


33.4475 


99.6231 


4.2.06 


33.4145 


99.6113 


4.2.07 


33.4708 


99.6031 


5.1.09 


33.6739 


99.6170 


5.1.10 


33.5039 


99.6170 


5.1.11 


33.5079 


99.5529 


5.1.12 


33.4536 


99.6033 


5.1.13 


33.3681 


99.6033 


5.1.14 


33.6094 


99.5636 


5.2.08 


33.5379 


99.6067 


5.2.09 


33.3704 


99.6151 


5.2.10 


33.5169 


99.5987 


5.3.01 


33.5039 


99.6115 


5.3.02 


33.4856 


99.6077 


7.1.01 


33.5084 


99.5918 


7.1.02 


33.4485 


99.6124 


7.1.03 


33.5236 


99.6346 


7.1.04 


33.5454 


99.6029 


7.1.05 


33.3958 


99.6063 


7.1.06 


33.4756 


99.6262 


7.1.07 


33.4469 


99.5953 


7.1.08 


33.5569 


99.6128 


7.1.09 


33.3964 


99.5953 


7.1.10 


33.3942 


99.5880 


7.2.01 


33.4813 


99.6142 


boat.512 


33.3792 


99.5941 


elame.512 


33.4430 


99.6185 


gray21.512 


33.4651 


99.6174 


house 


33.4570 


99.6063 


numbers. 5 12 


33.4484 


99.6258 


ruler.512 


33.4471 


99.6002 


testpat.lk 


33.4748 


99.6018 



D. Key Sensitivity Analysis 

A secure cipher should have high key sensitivities in both encryption and decryption processes. Simulation results 



with respect to encryption and decryption stages are shown in Fig. 15 and 16 The encryption keys in our simulations 
are listed below in the HEX format: 

= 'B'dBbED7bSbCSBlbD7AMED27lAA2,A2>A'iAmBm2,2lCll7b^D{)FDEUmWiMBC^' 
K"^ = '59S5^L'7585C8S15L'7454^L>27lAA3A3A3y407-B00321C11759L>0FZ?£;340234384SC8' 
= '39S5FZ)7585C8515L>7454FD271>l>l3A3A3y407-B00321C11759L>0FZ?£;340234384SC8' 

It is noticeable that differs only for the last bit; differs only for the first bit; and differs 
only for the first and the last bit. Although the hamming distances between K^,K^ and are very small, i.e. they 
are very similar to each other, their corresponding ciphertext images C^,C^ and have significant differences. 
These can be verified by the fact that their differences i.e. — C^|, {C"^ — and |C'^ — are random-like 



images as shown in Fig. 15 The example shows the proposed Latin square image cipher is very sensitive to the 



encryption key in the encryption stage. 



Similar results can also be obtained in the decryption stage as shown in Fig. 16 We decrypt the same ciphertext 



image using the encryption keys K^,K^ and K^, respectively. As can be seen, using the correct encryption 
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key K^, decrypted image perfecdy reconstructs the original plaintext image. However, decrypted images 
and using key K'^ and are random-like ones which do not contain any information related to the original 
plaintext image. 




(e) (f) (g) 



Fig. 15. Key sensitivity analysis for the encryption stage - (a) plaintext P Lenna, (b) ciphertext = ^{P,K^), (c) ciphertext = 
e{P,K'^), (d) ciphertext = £(P, isT^), (e) ciphertext difference \C^ - C^|, (f) ciphertext difference - C^|, and (g) ciphertext 
difference -C^| 




Fig. 16. Key sensitivity analysis for the decryption stage - (a) ciphertext C^, (b) decipheredtext — T){C^ , K^), (c) decipheredtext 
= D{C\K'), and (d) decipheredtext = S)(C\ K'^) 



E. Noise Robustness Analysis 

A good cipher should also be able to tolerate a certain amount of noise, e.g. noise in a channel or decoding errors. 
As discussed previously, the proposed Latin square image cipher adopts an asymmetric structure for encryption 
and decryption, and one noisy pixel in ciphertext image will only propagate in a factor of two in each round. Fig. 



17 shows the results of the decryption robustness of the Latin square image cipher against various noise ratio in 
ciphertext images. After decryption, noise concentrating in the center square of a ciphertext image now distributed 
almost evenly over the deciphered image. Due to the psychovisual redundancy within an image, human vision 
system is still able to recognize the deciphered image contents as long as it is not fully unintelUgible. 

VL Conclusion 

In this paper, we introduce a symmetric-key Latin square image cipher with probabilistic encryption for grayscale 
and color images. This new image cipher has distinctive characteristics: 1) LSIC is purely defined on integers, and 
thus it can be easily implemented in software and hardware without causing finite precision or descritization 
problems; 2) LSIC constructs all encryption primitives based on one keyed Latin square, including whitening. 
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substitution and permutation, and thus it attains high sensitivities to any key change; 3) LSIC encrypts image pixels 
in the unit of byte instead of bit and processes a 256 x 256 plaintext image at one time, and thus it is efficient 
for image data; 4) LSIC arranges all these encryption primitives in the framework of substitution-permutation 
network (SPN) and thus it attains good confusion and diffusion properties fTT); 5) LSIC also integrates probabilistic 
encryption in a pre-processing stage and thus it allows to encrypt a plaintext image into different ciphertext images 
when the same encryption key is used; and 6) LSIC's decryption stage is robust against a certain level of noise 
and thus it is suitable to transmit cipher data over a corrupted channel. The effectiveness and robustness of LSIC 
have been demonstrated by extensive simulation results using the complete USC-SIPI Miscellaneous image dataset. 
Theoretical security analysis shows that LSIC has good resistances to brute-force attacks, ciphertext-only attacks, 
known-plaintext attacks and chosen-plaintext attacks. Experimental security analysis with comparisons to peer 
algorithms indicate that LSIC outperforms or reaches state of the art. All these analysis and results demonstrate 
that the LSIC is very suitable for digital image encryption. Finally, we open source the LSIC MATLAB code under 
webpage https://sites.google.com/site/tuftsyuewu/source-code . 

Although in our simulations we have not found any 'weak' Latin squares, it is still an open question whether 
such 'weak' Latin squares exist. Meanwhile, it is natural to ask the next question that if such 'weak' Latin squares 
exist, how to recognize them in the very beginning and thus we are able to avoid using these Latin squares for 
encryption. Eventually, we need some means to evaluate the suitability of a Latin square for image encryption. 
However, Neither question is answered in this paper. 
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